In a recent wave of attacks, suspected Chinese hackers have exploited a zero-day vulnerability in Barracuda Email Security Gateway (ESG), with a particular focus on government and government-linked organizations in the Americas. The Mandiant report published today reveals that almost one-third of the appliances compromised in this campaign were owned by government agencies, primarily between October and December 2022.
"Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign," Mandiant reported. The report further highlighted that while local government targets make up just under seven percent of all identified affected organizations, that share rises to nearly seventeen percent when only U.S.-based targets are considered.
The main goal of these attacks was espionage. The threat actor, identified as UNC4841, engaged in targeted exfiltration from systems belonging to high-profile users in government and high-tech verticals. On May 20, Barracuda warned customers that the vulnerability was being exploited to breach ESG appliances and subsequently patched all vulnerable devices remotely.
Ten days later, Barracuda disclosed that the zero-day bug had been exploited in attacks for at least seven months, since October 2022, to deploy previously unknown malware and steal data from compromised systems. Customers were advised a week later to immediately replace hacked appliances, even those already patched. According to Mandiant, approximately 5% of all ESG appliances were breached in the attacks.
The attackers deployed previously unknown malware, including SeaSpy and Saltwater, and a malicious tool, SeaSide, to gain remote access to compromised systems via reverse shells. The Cybersecurity and Infrastructure Security Agency (CISA) also provided details on the Submarine (also known as DepthCharge) and Whirlpool malware, which was deployed in the same attacks as a later-stage payload on a small number of previously compromised devices to maintain persistence after Barracuda's May 20 advisory. Mandiant believes these devices belonged to high-value targets.
"We're contending with formidable adversaries that boast vast resources, funding, and the know-how to successfully execute global espionage campaigns undetected. China-nexus espionage actors are improving their operations to be more impactful, stealthy, and effective," Austin Larsen, Mandiant Senior Incident Response Consultant, stated.
Despite Barracuda and Mandiant finding no evidence of new ESG appliances being compromised via CVE-2023-2868 exploits after they were patched, the FBI warned last week that the patches are "ineffective," and that patched devices are still being compromised in ongoing attacks. The FBI also reinforced Barracuda's warning, advising customers to isolate and replace hacked appliances as soon as possible, investigate their networks for potential breaches, and revoke and rotate enterprise-privileged credentials (e.g., Active Directory) to thwart the attackers' attempts to maintain network persistence.
"The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit," the agency stated. "The FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability."
Barracuda's security products are used by more than 200,000 organizations worldwide, including government entities and high-profile companies.